Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter | Whitefly has used a simple remote shell tool that calls back to the C2 server and waits for commands.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Whitefly has used search order hijacking to run the loader Vcrodat.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Whitefly has the ability to download additional tools from the C2.[1] |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | Whitefly has given its malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1204.002 | User Execution: Malicious File | Whitefly has used malicious .exe or .dll files disguised as documents or images.[1] |
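The two DLL rows above (search order hijacking to run the Vcrodat loader, and naming that DLL after a legitimate security-vendor DLL) are what a defender can most directly hunt for in module-load telemetry. The script below is an added example written for this page; it is not Whitefly's tooling and not code from Symantec or MITRE. It assumes module-load records shaped like Sysmon Event ID 7 (process image, loaded module path, signature status), all of which are constructed inline here, and it assumes a hypothetical allowlist `EXPECTED_LOCATION` mapping a DLL name to the directory it should load from; the vendor name and DLL name in that map are made up. It goes slightly beyond the table by also learning system DLL names from the telemetry itself rather than relying only on a seed list.

```python
"""
Hunt for DLL search-order hijacking (T1574.001) and DLL name masquerading
(T1036.005) in module-load telemetry.

Added example for this page; not Whitefly's tooling and not Symantec's or
MITRE's code. Records are constructed stand-ins for Sysmon Event ID 7.
"""
from dataclasses import dataclass
import ntpath

# Directories the Windows loader treats as "the system directory".
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Seed list of DLLs that legitimately live in a system directory. The hunt
# also learns names from telemetry: any module observed loading from SYSTEM_DIRS.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll"}

# Hypothetical allowlist (assumption, not from the page): DLL name -> directory
# it is expected to load from. Whitefly reused security-vendor DLL names, so a
# name match with a location mismatch is the signal.
EXPECTED_LOCATION = {
    "vendor_av_helper.dll": r"c:\program files\examplevendor",
}


@dataclass(frozen=True)
class ImageLoad:
    process: str  # full path of the process that loaded the module
    module: str   # full path of the loaded DLL
    signed: bool  # module carried a valid Authenticode signature


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    module: str
    severity: str


def _norm(path: str) -> str:
    """Case-fold and normalise a Windows path so comparisons are stable."""
    return ntpath.normpath(path).lower()


def learn_system_dlls(loads, seed=frozenset(KNOWN_SYSTEM_DLLS)):
    """Seed names plus every module name seen loading from a system directory."""
    names = set(seed)
    for ev in loads:
        mod = _norm(ev.module)
        if ntpath.dirname(mod) in SYSTEM_DIRS:
            names.add(ntpath.basename(mod))
    return names


def hunt(loads):
    """Return Findings for loads that look like hijacking or masquerading."""
    system_names = learn_system_dlls(loads)
    findings = []
    for ev in loads:
        proc_dir = ntpath.dirname(_norm(ev.process))
        mod = _norm(ev.module)
        mod_dir, mod_name = ntpath.dirname(mod), ntpath.basename(mod)
        severity = "high" if not ev.signed else "medium"
        if mod_dir in SYSTEM_DIRS:
            continue  # resolved from the system directory: nothing shadowed it
        # Rule 1: a DLL carrying a system-DLL name resolved from the application's
        # own directory, which the default search order consults before System32.
        if mod_name in system_names and mod_dir == proc_dir:
            findings.append(Finding("dll_search_order_hijack", ev.process, ev.module, severity))
        # Rule 2: a DLL bearing an allowlisted name loaded from somewhere other
        # than the directory the allowlist expects for that name.
        expected = EXPECTED_LOCATION.get(mod_name)
        if expected is not None and not mod.startswith(_norm(expected) + "\\"):
            findings.append(Finding("dll_name_masquerade", ev.process, ev.module, severity))
    return findings


# Constructed sample telemetry: two benign loads followed by two suspicious ones.
SAMPLE_LOADS = [
    ImageLoad(r"C:\Program Files\ExampleVendor\agent.exe",
              r"C:\Windows\System32\version.dll", True),
    ImageLoad(r"C:\Program Files\ExampleVendor\agent.exe",
              r"C:\Program Files\ExampleVendor\vendor_av_helper.dll", True),
    # A copy of the signed agent in a user profile pulls an unsigned version.dll
    # planted beside it: the loader picks it before the System32 copy.
    ImageLoad(r"C:\Users\alice\AppData\Roaming\agent.exe",
              r"C:\Users\alice\AppData\Roaming\version.dll", False),
    # An unsigned DLL wearing the vendor DLL's name loads from a temp directory.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\setup.exe",
              r"C:\Users\alice\AppData\Local\Temp\vendor_av_helper.dll", False),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOADS):
        print(f"{f.severity:6} {f.rule:24} {f.process} -> {f.module}")
```

Rule 1 only checks the application directory because that is the search-order slot an attacker who drops a loader next to a legitimate signed executable abuses; a production version would also cover the current working directory and any user-writable entries on PATH, and would join the signature status to the vendor's expected signer rather than treating "signed" as a binary flag.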